MODULE — III: 9

Overview of Risk Management, Risk Identifications, Risk Assessment, Risk control,

Quantitative vs Qualitative Risk management practices, Recommended risk control
practices, Process, Secure design through threat modeling, Importance of Policy,
Information Assurance Policy, Policy Development Steps, Certification, Accreditation,
and Assurance.

Overview of Risk Management

Information security risk management, or ISRM, is the process of managing risks

associated with the use of information technology. It involves identifying, assessing, and
treating risks to the confidentiality, integrity, and availability of an organization ’s assets.
The end goal of this process is to treat risks in accordance with an organization’s overall
risk tolerance. Businesses shouldn’t expect to eliminate all risks; rather, they should seek
to identify and achieve an acceptable risk level for their organization.

Stages of ISRM

Risk Identification

• Identify assets: What data, systems, or other assets would be considered your
organization’s “crown jewels”? For example, which assets would have the most
significant impact on your organization if their confidentiality, integrity or availability
were compromised? It’s not hard to see why the confidentiality of data like social
security numbers and intellectual property is important. But what about integrity? For
example, if a business falls under Sarbanes-Oxley (SOX) regulatory requirements, a
minor integrity problem in financial reporting data could result in an enormous cost.
Or, if an organization is an online music streaming service and the availability of
music files is compromised, then they could lose subscribers.
• Identify vulnerabilities: What system-level or software vulnerabilities are putting the
confidentiality, integrity, and availability of the assets at risk? What weaknesses or
deficiencies in organizational processes could result in information being
compromised?
• Identify threats: What are some of the potential causes of assets or information
becoming compromised? For example, is your organization’s data center located in a
region where environmental threats, like tornadoes and floods, are more prevalent?
Are industry peers being actively targeted and hacked by a known crime syndicate,
hacktivist group, or government-sponsored entity? Threat modeling is an important
activity that helps add context by tying risks to known threats and the different ways
those threats can cause risks to become realized via exploiting vulnerabilities.
• Identify controls: What do you already have in place to protect identified assets? A
control directly addresses an identified vulnerability or threat by either completely
fixing it (remediation) or lessening the likelihood and/or impact of a risk being
realized (mitigation). For example, if you’ve identified a risk of terminated users
continuing to have access to a specific application, then a control could be a process
that automatically removes users from that application upon their termination. A
compensating control is a “safety net” control that indirectly addresses a risk.
 Continuing with the same example above, a compensating control may be a quarterly
access review process. During this review, the application user list is cross-referenced
with the company’s user directory and termination lists to find users with unwarranted
access and then reactively remove that unauthorized access when it’s found.

Information Security Risk Assessments

This is the process of combining the information you’ve gathered about assets,
vulnerabilities, and controls to define a risk. There are many frameworks and approaches
for this, but you’ll probably use some variation of this equation:

Risk = (threat x vulnerability (exploit likelihood x exploit impact) x asset value ) -

security controls

Note: this is a very simplified formula analogy. Calculating probabilistic risks is not
nearly this straightforward, much to everyone’s dismay.

Risk Management Strategy

Once a risk has been assessed and analyzed, an organization will need to select treatment
options:

• Remediation: Implementing a control that fully or nearly fully fixes the underlying
risk.
Example: You have identified a vulnerability on a server where critical assets are
stored, and you apply a patch for that vulnerability.
• Mitigation: Lessening the likelihood and/or impact of the risk, but not fixing it
entirely.
Example: You have identified a vulnerability on a server where critical assets are
stored, but instead of patching the vulnerability, you implement a firewall rule that
only allows specific systems to communicate with the vulnerable service on the
server.
• Transference: Transferring the risk to another entity so your organization can
recover from incurred costs of the risk being realized.
Example: You purchase insurance that will cover any losses that would be incurred if
vulnerable systems are exploited. (Note: this should be used to supplement risk
remediation and mitigation but not replace them altogether.)
• Risk acceptance: Not fixing the risk. This is appropriate in cases where the risk is
clearly low and the time and effort it takes to fix the risk costs more than the costs that
would be incurred if the risk were to be realized.
Example: You have identified a vulnerability on a server but concluded that there is
nothing sensitive on that server; it cannot be used as an entry point to access other
critical assets, and a successful exploit of the vulnerability is very complex. As a
result, you decide you do not need to spend time and resources to fix the vulnerability.
• Risk avoidance: Removing all exposure to an identified risk
Example: You have identified servers with operating systems (OS) that are about to
reach end-of-life and will no longer receive security patches from the OS creator.
These servers process and store both sensitive and non-sensitive data. To avoid the
 risk of sensitive data being compromised, you quickly migrate that sensitive data to
newer, patchable servers. The servers continue to run and process non-sensitive data
while a plan is developed to decommission them and migrate non-sensitive data to
other servers.

Risk Communication Strategy

Regardless of how a risk is treated, the decision needs to be communicated within the
organization. Stakeholders need to understand the costs of treating or not treating a risk
and the rationale behind that decision. Responsibility and accountability needs to be
clearly defined and associated with individuals and teams in the organization to ensure
the right people are engaged at the right times in the process.

How Risk Control Works

Modern businesses face a diverse collection of obstacles, competitors, and potential

dangers. Risk control is a plan-based business strategy that aims to identify, assess, and
prepare for any dangers, hazards, and other potentials for disaster—both physical and
figurative—that may interfere with an organization's operations and objectives. The core
concepts of risk control include:

• Avoidance is the best method of loss control. For example, after discovering that a
chemical used in manufacturing a company’s goods is dangerous for the workers, a
factory owner finds a safe substitute chemical to protect the workers’ health.
Avoidance, however, is not always possible.
• Loss prevention accepts a risk but attempts to minimize the loss rather than
eliminate it. For example, inventory stored in a warehouse is susceptible to theft.
Since there is no way to avoid it, a loss prevention program is put in place. The
program includes patrolling security guards, video cameras and secured storage
facilities. Insurance is another example of risk prevention that is outsourced to a third
party by contract.
• Loss reduction accepts the risk and seeks to limit losses when a threat occurs. For
example, a company storing flammable material in a warehouse installs state-of-the-
art water sprinklers for minimizing damage in case of fire.
• Separation involves dispersing key assets so that catastrophic events at one location
affect the business only at that location. If all assets were in the same place, the
business would face more serious issues. For example, a company utilizes a
geographically diverse workforce so that production may continue when issues arise
at one warehouse.
• Duplication involves creating a backup plan, often by using technology. For
example, because information system server failure would stop a company’s
operations, a backup server is readily available in case the primary server fails.
• Diversification allocates business resources for creating multiple lines of business
offering a variety of products or services in different industries. A significant
revenue loss from one line will not result in irreparable harm to the company’s
bottom line. For example, in addition to serving food, a restaurant has grocery stores
carry its line of salad dressings, marinades, and sauces.

No one risk control technique will be a golden bullet to keep a company free from potential
harm. In practice, these techniques are used in tandem with others to varying degrees and
will change as the corporation grows, as the economy changes, and as the competitive
landscape shifts.

Utilizing a Risk and Control Matrix (RACM) for Effective Risk Management

A Risk and Control Matrix (RACM) is a valuable tool used by organizations to better
understand and optimize their risk profiles. It is a structured approach that helps companies
identify, assess, and manage risks by mapping the relationships between potential risks and
the corresponding control measures implemented to mitigate them. The RACM allows
organizations to visualize and evaluate the effectiveness of their risk control strategies and
make data-driven decisions to enhance their risk management practices.

The RACM typically includes the following components:

• Risk identification: The matrix lists all the potential risks an organization may face,
often categorized by business areas, processes, or functions.
• Risk assessment: Each identified risk is assessed based on its likelihood of
occurrence and potential impact on the organization. This assessment helps prioritize
risks and focus resources on the most critical areas.
• Control measures: For each risk, the matrix outlines the specific control measures
implemented to mitigate or reduce the likelihood and impact of the risk. These
measures can include policies, procedures, systems, or other mechanisms designed to
manage the risk.
• Control effectiveness: The RACM evaluates the effectiveness of each control
measure, taking into account factors such as the level of compliance, the adequacy of
the control design, and the control's ability to detect or prevent the risk from
materializing.
• Action plans: Based on the assessment of control effectiveness, the matrix may
include action plans for improving risk control measures or addressing identified
gaps in the organization's risk management practices.

By creating and maintaining an up-to-date RACM, organizations can gain a comprehensive

understanding of their risk landscape and the effectiveness of their risk control measures.
This information can inform strategic decision-making, guide resource allocation, and
support continuous improvement in risk management practices.

RCAM Example

Example of a Hypothetical RCAM

Business Risk Likeliho Impa Risk Control Control Action
Area Descriptio od ct Ratin Measure Effectiven Plan
n g ess
Finance Fraudulent Medium High High Implement Effective Regular
transaction strong ly
s access review
controls access
controls
 Regular Effective Increas
audits and e audit
reconciliati frequen
ons cy
HR Employee Low High Mediu Secure Effective Monitor
data breach m storage and for new
encryption security
of data threats
Employee Partially Enhanc
training on effective e
data training
privacy progra
practices m
Operatio Supply High High High Diversify Effective Expand
ns chain suppliers supplier
disruption and sources network
Maintain Effective Adjust
inventory safety
safety stock stock
levels
IT Cybersecur High High High Regular Effective Increas
ity attacks security e
updates and frequen
patches cy of
updates
Employee Partially Improv
training on effective e
cybersecuri training
ty practices content
This RCAM example outlines different risk categories, such as Finance, HR, Operations,
and IT, and includes specific risks within each category. The likelihood and impact of each
risk are assessed, leading to an overall risk rating. Control measures are then listed, along
with an evaluation of their effectiveness. Finally, action plans are proposed to enhance risk
control measures or address identified gaps in risk management.

Keep in mind that this is just a simplified example, and an actual RACM for an organization
would likely be more detailed and cover a broader range of risks and controls.

Quantitative vs Qualitative Risk management practices

What is quantitative risk management?

Quantitative risk management in project management is the process of converting the impact
of risk on the project into numerical terms. This numerical information is frequently used to
determine the cost and time contingencies of the project.

What is quantitative risk analysis?

A quantitative assessment is a risk analysis performed with a focus on numerical values of
the risks present. The quantitative risk analysis allows you to determine the potential risk of a
project. This can help you decide if a project is worth pursuing. It also is useful in the
development of project management plans, as understanding the risks present allows you to
reduce the likelihood of certain risks and to prepare for others that you cannot fully eliminate.

Benefits of quantitative risk analysis

When performing a risk analysis, the first decision is whether you want to perform a
qualitative or quantitative assessment. These are the top reasons you may choose to perform a
quantitative risk analysis:

• Objective assessment: Because a quantitative assessment involves assigning

numerical values to each risk, it returns objective results. Conversely, a qualitative
assessment expresses risk in subjective terms, which people may interpret differently.
Objective estimates help ensure that all parties have the same understanding of the
projected risks.
• Detailed information: A quantitative assessment breaks down a project by the
expected cost of each potential risk. This allows you to focus reduction efforts on the
risks deemed "most likely" or "most costly."
• Client confidence: When presenting a project assessment to a potential client, the
specificity of a quantitative assessment may provide more confidence because there is
little room for misinterpretation. By providing your client with a specific number
regarding potential financial risk, they can more confidently make their decision about
the proposal.
• Improved decision making: By creating risk assessments with objective measures,
you and others involved in decision making have an accurate assessment of potential
risks. This can help you make the best decision for the company.

Related: What Is Risk Analysis in Business?

Quantitative risk analysis methods

Quantitative risk analysis does not refer to one specific method of determining potential risk.
It is a category of analysis styles, so you can choose the method that best suits your needs.
Common types of quantitative risk analysis include the following:

• Expected monetary value (EMV) risk analysis: This is the most simple form of
quantitative risk analysis. In an EMV analysis, all you need is an expected cost of a
risk you face and the probability of that risk occurring. You often set these values
through a combination of analyzing data, consulting with experts and estimating from
experience. By multiplying the cost of each risk by its probability and adding up all
the resulting numbers, you generate an overall projected risk amount for the project.
• Decision tree risk analysis: A decision tree allows you to assess the risk of one or
more choices. Each tree represents a choice as well as any costs associated with it.
Assign probabilities and costs at each point. By following a chain and adding all the
costs along it, you identify which choice paths offer the lowest risk.
• Monte Carlo risk analysis: A Monte Carlo analysis creates a range of potential
outcomes and is best used around risks related to project duration or yield. In a Monte
Carlo analysis , you often assign the highest probability to the expected outcome. As
 outcomes get further from this expectation, assign lower probabilities. Estimate costs
for each outcome and combine with the probabilities for each to find the total
expected cost.
• Sensitivity risk analysis: Sensitivity assessment allows you to examine uncertainty
within a risk analysis and determine which elements are most responsible for
uncertainty. For example, in a project with two key components, if the more
expensive component is stable and the less expensive is highly variable, the latter
would be responsible for more uncertainty, even though it is a smaller fraction of the
overall cost. Identifying sensitive components may allow you to identify methods of
reducing uncertainty and make estimates more exact.
• Three point risk analysis: Three point analysis is a method of determining the
expected cost of a risk on a project. To calculate a three point assessment, determine
the most likely cost of a risk, your most optimistic cost of a risk and most pessimistic
cost of a risk. For a basic triangular three point risk analysis, add all three numbers
then divide by three. A more common approach to three point analysis is the beta
distribution. Multiply the most likely value by four, then add the optimistic and
pessimistic values and divide the total by six.

Quantitative versus qualitative risk analysis

A qualitative risk analysis is the primary alternative to a quantitative risk analysis. Although
there are many significant benefits to quantitative analysis listed above, there are also reasons
that you may prefer to perform a qualitative assessment instead.

Steps in the quantitative risk analysis process

If you are planning a project and want to calculate your potential risks, quantitative analysis
is an excellent option. Follow these steps to perform a simple quantitative risk analysis:

1. Identify areas for uncertainty

No matter which method of performing a quantitative or qualitative risk analysis you use, in
order to generate an accurate assessment, it's important that you do not overlook any potential
areas for risk within the project.

When identifying areas of potential risk, examine every step of the project. Using a project
outline or management plan that breaks the overall project into smaller sections is an
excellent way to search for areas where risk or uncertainty exist. For example, a construction
company building a home in Florida during the late summer knows that there is an elevated
risk of severe weather like hurricanes, which could impact development schedules.

Create a list of all areas of potential risk, noting the phase of the project, the potential risk that
you identified and how that risk can affect the execution of the project. Common effects
include making costs increase, causing delays or reducing the quality of the output.

2. Assess the costs of each risk

Once you have identified where risk exists within your project, you can calculate the relative
cost of each risk. To do this, determine the expected cost when each potential risk occurs. For
basic risks that are likely to present the same way any time they occur, simply record the
expected cost of remedying the risk.

For complicated risks that may have variable costs, there are two methods of identifying this
number. The easier option is to decide upon an average cost for all potential responses to the
risk. A more accurate option is to further breakdown variable risks into multiple items.

For example, the construction company that is building a home in Florida assesses the
potential ranges of weather delays and how costly each would be. In some situations, severe
weather could cause a minor interruption, but in others, the results might be more extensive.
Rather than creating one entry in the analysis for adverse weather, the company includes an
item for mild weather delays and an item for severe weather delays.

Related: 5 Risk Analysis Methods and How To Use Them

3. Determine the probability of each risk occurring

The total numbers identified in the prior step are a listing of all potential risks, which means
you are unlikely to encounter all of them over the course of one project. In order to determine
how much risk your project carries, you then have to determine how likely it is that each risk
may occur.

The two most important elements when calculating probabilities are research and experience.
The more you know about each scenario, the more accurately you can estimate the chances that
a problem will occur during execution. With the hypothetical construction project mentioned
above, for example, a contractor may study weather patterns for the period of planned
construction so they can more accurately predict the chances of having no delays, mild delays
or severe delays.

Seeking outside help during this step is an excellent option to increase the accuracy of your
estimates. This is particularly important for any areas where you have minimal experience. An
expert can more accurately set a probability for a type of risk, which makes your overall
calculations more accurate.

4. Calculate the expected cost of each potential risk

Determining the expected cost of each risk is as simple as multiplying the estimated cost of
each error by its probability. If you wrote your probabilities out as percentages instead of
fractions or decimals, divide the resulting number by 100 to find the expected risk costs of
each element. To calculate the total estimated cost of risk on the project, add up the risk costs
for each individual element.
RECOMMENDED RISK CONTROL PRACTICES
 Process

Secure design through threat modelling

What is threat modeling?

Threat modeling is a procedure for optimizing application, system or business process security
by identifying objectives and vulnerabilities, and then defining countermeasures to prevent or
mitigate the effects of threats to the system.
Threat modeling helps to identify the security requirements of a system or process -- anything
that is mission-critical, processing sensitive or made up of valuable data. It is a systematic and
structured process that aims to identify potential threats and vulnerabilities to reduce the risk
to IT resources. It also helps IT managers understand the impact of threats, quantify their
severity and implement controls.

In terms of software security, threat modeling is the most important part of software design and
development. It is impossible to build applications and systems that comply with
corporate security policies and privacy and regulatory requirements without evaluating and
mitigating threats.

IT-based threat modeling gained traction in the 1990s with the development of threat and
attacker profiles. Microsoft introduced its STRIDE (Spoofing, Tampering, Repudiation,
Information Disclosure, Denial of Service, and Elevation of Privilege) threat modeling
methodology in 1999. There are now many other approaches. They all involve deconstructing
the elements of an application or system to identify the assets to be protected and the possible
threats to be mitigated. A threat modeling methodology is a way to break down a complex
process into smaller tasks making it easy to spot weaknesses.

How does the threat modeling process work?

There are several different threat modeling frameworks and methodologies. However, the key
steps are similar in most of these processes. They include:

1. Form a team. This team should include all stakeholders, including business
owners, developers, network architects, security experts and C-level execs. A
diverse team will generate a more holistic threat model.

2. Establish the scope. Define and describe what the model covers. For example, is
it focused on an application, a network or the application and the infrastructure it
runs on? Create an inventory of all components and data included and map them to
architecture and data flow diagrams. Each data type must be classified.

3. Determine likely threats. For all components that are threat targets, determine
where threats exist. This what-if exercise builds broad, technical and unexpected
threat scenarios, including threat or attack trees to identify possible vulnerabilities
 or weaknesses that could lead to compromise or failure. Threat modeling tools can
help automate and streamline this step.

4. Rank each threat. Determine the level of risk each threat poses and rank them to
prioritize risk mitigation A simple but effective approach is to multiply the damage
potential of a threat by the likelihood of it occurring.

5. Implement mitigations. Decide how to mitigate each threat or reduce the risk to
an acceptable level. The choices are to avoid risk, transfer it, reduce it or accept it.

6. Document results. Document all findings and actions, so future changes to the
application, threat landscape and operating environment can be quickly assessed
and the threat model updated.

Threat modeling best practices

There are several steps to take to ensure an effective approach to threat modeling. Some of
them include:

• Start early. Threat modeling can be done at any time during a project, but earlier
is better as the findings can help ensure the design is secure. It is also quicker and
cheaper to add security controls early in the build process.

• Get a lot of input. Soliciting input from a variety of stakeholders helps identify
the widest range of potential adversaries, motives, threats, and where the most
vulnerable components reside.

• Use a variety of tools. There are many tools available, including some unusual
approaches. For instance, the University of Washington's Security Cards are
a brainstorming tool that helps discover less common or novel attacks and how
best to respond to them.
 • Understand risk tolerance. Business owners in particular must fully understand
and communicate their risk-tolerance levels so the correct approaches to threat
mitigation can be chosen to ensure business goals are met.

• Educate everyone. Train everyone involved in the different aspects of threat

modeling, so their inputs can be maximized. As always with security, threat
modeling is an iterative development

IMPORTANCE OF POLICY
What is the Purpose of Policies and Procedures?

Although policies and procedures may differ across various organizations, their core purpose
remains the same. They encourage consistency and foster a cohesive environment whereby
accomplishing multiple tasks is straightforward. Therefore, they help employees stay on track
and companies reach their goals while avoiding unwanted occurrences.

Furthermore, these strategies provide instruction on how staff are expected to operate. For
example, a policy might outline the discussion topics of a bi-annual performance review, and
the procedure to follow is a scheduled meeting. Policies and procedures extend throughout all
roles within a business, instructing based on methods that each business finds suitable for them.
They may focus on various benchmarks a company must meet for their industry or be the result
of an amalgamation of experiences and ideas that streamline a new process.
Policies and procedures also calculate the potential risk associated with certain tasks. They are
a manageable, measurable way of determining factors that a business might find undesirable
or unacceptable.

The Importance of Following Policies and Procedures.

While it may seem obvious, highlighting the importance of organizational policies and
procedures can help employees observe these strategies in an improved light. Some may be
required by law, while others aim to reduce confusion or increase accessibility.

Regulatory Requirements:

Certain sectors are required to meet legal conditions in order to remain operable and in good
standing. If your company functions globally, there may be unique regulations associated with
your business that are specific to some continents and countries. At WhistleBlower Security,
we aim to provide solutions regarding keeping up with ethics management so nothing slips
through the cracks.

Consistency:

Turnover and structural shifts can lead to intense feelings of uncertainty surrounding a change
in any workplace. What shouldn’t change is your company’s commitment to proper and
cemented policies and procedures to ensure processes remain the same. Clear expectations
allow for consistency. Not only will this help with current employees, but it also creates a
supportive environment for new hires.

Workplace Safety:

Ensuring safety in the workplace falls in line with any and every business. Creating a healthy
environment where employees feel that their health and security are valued allows them to
perform at their best. The extent of your safety policies and procedures will be unique to your
industry, but their main goals are to reduce the potential for accidents, liability risks, and
interruptions.

Better Quality Service:

Service standards are often set to deliver quality customer interactions and meet their
expectations. Following proper policies and procedures in this area means that employees can
provide regular support to clients, enhance the quality of products and services, and thus
improve a brand’s reputation.
Accountability:

Understanding a company’s mission and vision as an employee means aligning with the
policies and procedures that help to achieve it. However, it is possible for a staff member to
feel under or overwhelmed by measures that they cannot meet. Accountability means meeting
these employees where they are and looking at their role as it relates to the business. These
methods can help to identify issues before they become more significant problems.

How to Implement Policies and Procedures?

Now that we have established the importance of organizational policies and procedures,
implementing them is the next step. Even with well-established methods, there is always room
to improve. These processes should be presented so that all employees can access, understand,
and, most importantly, retain the information.

Accessible Policy Manuals:

Accessibility will vary from industry to industry. Perhaps computers are not a vital component
of day-to-day work, so a printed copy of necessary strategies and an in-person review will be
required. Additionally, you may want to consider the design and flow of how this information
is presented. Blocks of text without visual aids or hands-on experience are less engaging,
leading to reduced retention. Depending on how you implement your policy manual, ensure
that it can be easily updated and well-indexed should employees need to reference it in the
future.

Regular Review of Policies and Procedures:

The adage, “if it ain’t broke, don’t fix it,” need not apply to policies and procedures. Updates
are necessary for growth and employee engagement, and the failure to recognize that something
could be done more efficiently can raise concerns.

Take a look at what is working and what needs improvement. For example, if you are struggling
with finding the right tools to use, Whistleblower Security’s case management is a way to
ensure compliance with policies and procedures and eliminate guesswork. New and innovative
software can make implementing improvements to existing methods straightforward and
adaptable.

Training Courses:

A digital PDF and email reminder to review might be where your concern for training starts
and stops. But measuring completion is vital to ensuring employees actually gain knowledge
from the material available to them. Training takes place to absolve confusion and align
teachings with what is expected in that role.

Test your employee’s comprehension through various methods, such as in-person

demonstrations or online modules. Set up tasks where they can continue with independent or
group training to improve their performance and feel confident in their abilities.

Information Assurance Policy

What is information assurance?

“Assurance” in security engineering is defined as the degree of confidence that the security
needs of a system are satisfied.

Information assurance (IA) is the practice of assuring information and managing risks
related to the use, processing, storage and transmission of information. Information
assurance includes protection of the integrity, availability, authenticity, non-repudiation and
confidentiality of user data.

Undetected loopholes in the network can lead to unauthorized access, editing, copying or
deleting of valuable information. This is where information assurance plays a key role.

What is the goal of information assurance?

The purpose of IA is to reduce information risks by ensuring the information on which the
business makes decisions is reliable. This purpose is achieved by following:

• Risk management: Businesses face legal fines and penalties if the information in the
network is compromised. IA enables risk assessment to identify vulnerabilities and the
potential impact on the business in terms of compliance, cost and operational continuity.
The goal is to mitigate potential threats.
• Encryption at rest and in transit: IA mandates end-to-end encryption to protect
privacy by ensuring no human or computer can read data at rest and in transit except
the intended parties. The goal is to help businesses stay compliant with regulatory
requirements and standards.
• Data integrity: Bad business decisions usually stem from bad data. IA focuses on
auditing data collection and tracking process, improving transparency in the
organizational process. The goal is to manage data in a way that a future audit can
retrace the process, leading to better decision-making.

Why do we need information assurance?

Adopting good IA best practices provides several benefits:

• Operational benefits:
• Resilient business processes
• Improved customer service
 • Better information usage
• Improved responsiveness
• Tactical benefits:
• Easy compliance
• Better understanding of business opportunities
• Commitment from business partners and customers
• Strategic benefits:
• Better governance
• Cheaper equity
• More sales
• Lower costs
• Organizational benefits:
• Improved shareholder value
• Gain competitive advantage
• License to operate

How does information assurance work?

Information assurance is a strategic endeavor that extends beyond simply IT. The reality is
that the legal and reputational ramifications that ensue from a data breach affect the entire
organization. A proper security framework helps protect your organization and customers.
IA is a work in progress that includes:

• Strategy: Develop Governance, Risk and Compliance (GRC) readiness by evaluating

maturity as compared to your peers. Utilize key use cases to identify gaps and build
roadmaps. Rationalize and prioritize GRC initiatives by aligning the essential
requirements of your information and infrastructure with the organization’s
objectives.
• Design: Design GRC programs and models to align with organizational policies.
Exposures and risks should be quantified and classified to evaluate defined metrics.
Once established, use these findings to define mitigation steps to manage risk and
optimize speed, accuracy and efficiency of resolution.
• Implementation: Implement processes, policies, controls and technology that
monitor operations against key metrics. Measure potential exposures in personnel,
processes and technology controls in the context of IT infrastructure
interdependencies.
• Operations: Mitigate exposures through continuous enforcement of policies. Detect
violations and measure outcomes in comparison to your desired state. Use these
learnings to continuously improve processes to maximize synergies and optimize
outcomes.

Who is responsible for information assurance?

Conventionally, IA is seen as an incoherent function that is solely exclusive to the IT

department. The reality is that the legal and reputational ramifications that ensue from a
data breach affect the entire organization. It is essential to create a security-centric culture
from top to bottom, with a focus on complying with information security regulations.

What are the five pillars of information assurance?

The CIA triad is considered the first model of information assurance introduced to define
effective practices of assuring information security and integrity. Here are the following
five pillars of IA that make information networks safe against all threats:

• Integrity (protection of information systems and assets)

• Availability (dependable access to information systems by authorized users)
• Authentication (the process of restricting access and confirming the identity of users)
• Confidentiality (restriction of access to authorized users only)
• Non-repudiation (forensic tracking to create a reliable “paper trail” of all actions)

Policy Development Steps

Identifying the Problem and Agenda Setting

Identifying the problem involves addressing what is happening and why it is an issue. In
criminal justice, this might look at the increase of opioid use and overdoses or acts of youth
violence. Once the issue is identified, there can be a serious debate about the plans of the policy.
Once it is decided what the policy will look like, it is placed on the agenda. This is perhaps the
most politicized part of the process as it involves many different stakeholders. It involves
identifying the legislative, regulatory, judicial, or other institutions responsible for policy
adoption and formulation.

Formulation and Adoption

The next stage involved adopting the policy. Depending on the nature of the policy, this could
involve a new law or an executive order.

Implementation of the Policy

Implementation is about moving forward, taking action, and spending money. It involves hiring
new staff or additional police officers. This is where policies often stall because of the lack of
funding. For example, a popular program in 1990, Weed and Seed, involved “weeding” out
criminals (targeting arrest efforts) and “seeding” new programs (instituting after-school
programs, drug treatment facilities, etc.). The weeding portion of the program was a great
success, but the program ultimately failed because of a lack of funding to adequately seed new
community programming. Funding is a major roadblock for proper implementation.

Evaluation

Finally, the evaluation examines the efficacy of the policy. There are three different types of
evaluation: Impact, Process, and Cost-benefit analysis. Impact (outcome) evaluations focus
on what changes after the introduction of the crime policy. [1] Changes in police patrol practices
aimed at reducing the level of residential burglaries in an area are evaluated in terms of
subsequent burglaries. The difficulty with impact evaluations is that changes in the crime rate
are rarely, if ever, due to a single intervening variable. For example, after the implementation
of curfew laws for juvenile offenders, juvenile crime decreased. Can we say that was because
of curfew laws? The entire crime rate for America decreased at the same time. Attributing a
single outcome based on a solitary intervention is problematic.

Process evaluations consider the implementation of a policy or program and involve

determining the procedure used to implement the policy. These are detailed, descriptive
accounts of the implementation of the policy including the goals of the program, who is
involved, the level of training, the number of clients served, and changes to the program over
time. [2] Unfortunately, process evaluations do not address the actual impact policy has on the
crime problem, just what was done about a specific issue or who was involved. While this is
indeed a limitation, it is essential to know the inner workings of a program or policy if it is to
be replicated.

Cost-benefit evaluations, or analysis, seeks to determine if the costs of a policy are justified
by the benefits accrued. A ubiquitous example of this would be an evaluation of the popular
anti-drug D.A.R.E. program of the 1980s and 1990s. The D.A.R.E. program was a school-
based prevention program aimed at preventing drug use among elementary school-aged
children. Rigorous evaluations of the program show that it was ineffective and sometimes
actually increased drug use in some youth. The cost of this program was roughly $1.3 billion
dollars a year (about $173 to $268 per student per year) to implement nationwide (once all
related expenses, such as police officer training and services, materials and supplies, school
resources, etc., were factored in). [3] Using a cost-benefit analysis, is that a good use of money
to support an ineffective program?

Certification, Accreditation, and Assurance.

 CERTIFICATE OF ASSURANCE

Certificates of Assurance (COA) are a crucial part of the Quality Control process for the
manufacturing industry. They provide assurance that all components and processes have been
monitored, meet or exceed company standards.

Why should you care about Certificates of Assurance?

COAs are crucial documentation that proves that all requirements for quality standards have
been met or exceeded. COA documents certify that an organization has assessed its
operations to ensure it meets the necessary criteria for quality standards. COAs are also
known as certificates of compliance, certificates of competency, certificates of intent, and
certificates of conformance. COAs provide accurate records proving what has been done and
what hasn't been done. COAs help an organization own its actions and documents it in order
to keep the organization accountable to the public.

The benefits of automated production certificates:

Ø A certificate of assurance can be seen as a shield against lawsuits, liability, and poor
customer service reviews as it documents each step of the production process.

Ø COAs also help companies identify problems with their production processes so they can
take action before defective products go out into the market.

Ø Reduce paperwork with automated COAs that can be accessed and presented in different
convenient formats.

Ø Proactive business process is possible as manufacturers can ship products manufacturer

with the COA report, eliminating any doubt about production quality.

Ø COAs can also help employees keep track of what has been accomplished and if it is up to
internal and industry process standards.